U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

NOTICE UPDATED - April, 25th 2024

NIST has updated the NVD program announcement page with additional information regarding recent concerns and the temporary delays in enrichment efforts.

CVE-2024-1753 Detail

Description

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.


Severity



CVSS 4.0 Severity and Metrics:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.


NVD Analysts use publicly available information to associate vector strings and CVSS scores. We also display any CVSS information provided within the CVE List from the CNA.

Note: NVD Analysts have not published a CVSS score for this CVE at this time. NVD Analysts use publicly available information at the time of analysis to associate CVSS vector strings.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
https://access.redhat.com/errata/RHSA-2024:2049
https://access.redhat.com/errata/RHSA-2024:2055
https://access.redhat.com/errata/RHSA-2024:2064
https://access.redhat.com/errata/RHSA-2024:2066
https://access.redhat.com/errata/RHSA-2024:2077
https://access.redhat.com/errata/RHSA-2024:2084
https://access.redhat.com/errata/RHSA-2024:2089
https://access.redhat.com/errata/RHSA-2024:2090
https://access.redhat.com/errata/RHSA-2024:2097
https://access.redhat.com/errata/RHSA-2024:2098
https://access.redhat.com/errata/RHSA-2024:2548
https://access.redhat.com/errata/RHSA-2024:2645
https://access.redhat.com/errata/RHSA-2024:2669
https://access.redhat.com/errata/RHSA-2024:2672
https://access.redhat.com/errata/RHSA-2024:2784
https://access.redhat.com/errata/RHSA-2024:2877
https://access.redhat.com/errata/RHSA-2024:3254
https://access.redhat.com/security/cve/CVE-2024-1753
https://bugzilla.redhat.com/show_bug.cgi?id=2265513
https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf
https://github.com/containers/podman/security/advisories/GHSA-874v-pj72-92f3
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FCRZVUDOFM5CPREQKBEU2VK2QK62PSBP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYMVMQ7RWMDTSKQTBO734BE3WQPI2AJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZVBSVZGVABPYIHK5HZM472NPGWMI7WXH/

Weakness Enumeration

CWE-ID CWE Name Source
CWE-269 Improper Privilege Management Provider acceptance level Red Hat, Inc.  

Change History

19 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-1753
NVD Published Date:
03/18/2024
NVD Last Modified:
05/23/2024
Source:
Red Hat, Inc.